summary refs log tree commit diff stats
path: root/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
diff options
context:
space:
mode:
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2811.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2811.toml102
1 files changed, 102 insertions, 0 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
new file mode 100644
index 00000000..809b0a49
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
@@ -0,0 +1,102 @@
+id = 2811
+title = "The release artifact for 9.2.1 can not be authenticated with the accompanying OpenPGP signature"
+state = "opened"
+created_at = "2025-02-13T23:03:30.409Z"
+closed_at = "n/a"
+labels = ["sysadmin"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2811"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """Hi! :wave: 
+
+I package this project for Arch Linux.
+This ticket is to inform you that the release artifact for 9.2.1 can not be validated using the accompanying OpenPGP signature.
+The signature has been created by the OpenPGP key with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` (held by @mdroth).
+However, I am not able to validate the downloaded archive with the provided signature.
+
+Please make sure that the archive has not been tampered with and ideally do a full re-release and re-sign cycle."""
+reproduce = """Download sources and create checksum:
+
+```bash
+curl -O https://download.qemu.org/qemu-9.2.1.tar.xz 
+curl -O https://download.qemu.org/qemu-9.2.1.tar.xz.sig
+b2sum qemu-9.2.1.tar.xz
+062b2ef336dbc488bfd9e6c6a21cd95464ab76a98ce8f66bb314101d25a5dc72815ae4eb28028507c85ddade8a28e00cf8897302645ad6ddd2c093bde1cfba9a  qemu-9.2.1.tar.xz
+```
+
+Get latest version of certificate that can be used to verify the signature:
+
+```bash
+gpg --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584
+gpg: key 3353C9CEF108B584: "Michael Roth <michael.roth@amd.com>" not changed
+gpg: Total number processed: 1
+gpg:              unchanged: 1
+```
+
+Export certificate to file:
+
+```bash
+gpg --export CEACC9E15534EBABB82D3FA03353C9CEF108B584 > mdroth.pgp
+```
+
+Show info about the certificate:
+
+```
+gpg --list-sigs CEACC9E15534EBABB82D3FA03353C9CEF108B584
+pub   rsa2048 2013-10-18 [SC] [expires: 2026-05-11]
+      CEACC9E15534EBABB82D3FA03353C9CEF108B584
+      Keygrip = D85EA26924D8B15B55C659659E2864C375F1547D
+uid           [ unknown] Michael Roth <michael.roth@amd.com>
+sig 3        3353C9CEF108B584 2020-10-27  [self-signature]
+sig 3        3353C9CEF108B584 2024-05-11  [self-signature]
+uid           [ unknown] Michael Roth <flukshun@gmail.com>
+sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
+uid           [ unknown] Michael Roth <mdroth@utexas.edu>
+sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
+sub   rsa2048 2013-10-18 [E]
+      Keygrip = 9561B09210E2442DEE64237DBA17A9E9D7A58B04
+sig          3353C9CEF108B584 2013-10-18  [self-signature]
+```
+
+Try verifying the tarball using gpg:
+
+```bash
+gpg --verify qemu-9.2.1.tar.xz.sig
+gpg: assuming signed data in 'qemu-9.2.1.tar.xz'
+gpg: Signature made 2025-02-12T03:22:55 CET
+gpg:                using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584
+gpg: BAD signature from "Michael Roth <michael.roth@amd.com>" [unknown]
+```
+
+Try verifying the tarball using the SOP implementation rsop:
+
+```bash
+rsop verify qemu-9.2.1.tar.xz.sig mdroth.pgp < qemu-9.2.1.tar.xz
+           No acceptable signatures found
+```
+
+Try verifying the tarball using sq:
+
+```bash
+sq cert import mdroth.pgp
+ - ┌ CEACC9E15534EBABB82D3FA03353C9CEF108B584
+   └ Michael Roth <michael.roth@amd.com> (UNAUTHENTICATED)
+   - imported
+
+
+Imported 0 new certificates, updated 0 certificates, 1 certificate unchanged, 0 errors.
+
+sq verify --signature-file qemu-9.2.1.tar.xz.sig qemu-9.2.1.tar.xz
+Error verifying signature made by CEACC9E15534EBABB82D3FA03353C9CEF108B584:
+
+  Error: Message has been manipulated
+0 authenticated signatures, 1 bad signature.
+
+  Error: Verification failed: could not authenticate any signatures
+```"""
+additional = """On Arch Linux we use the provided release tarball and verify it using the detached signature.
+For validation we rely on the OpenPGP certificate with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`.
+The fingerprint is locked in our [build script](https://gitlab.archlinux.org/archlinux/packaging/packages/qemu/-/blob/7cddf5aa82542d6ba511a22aeaa8eca6d6e7d949/PKGBUILD#L158)."""